
Configure Istio CA with Custom Certificates

For enhanced security, replace Istio's default self-signed certificates with administrator-provided certificates.

Default Istio Behavior

By default, Istio generates a self-signed root certificate and stores it in a Secret within a Kyma cluster. Istio uses this certificate to issue certificates for each workload in the service mesh.

Configuring a Custom CA

You can replace the default self-signed certificate provided by Istio and use a certificate issued by your organization. Istio supports the following PKI hierarchy:

  • Root CA: A self-signed certificate kept outside of the cluster that issues intermediate certificates to the Istio CAs running in each cluster. It is recommended to keep this root CA on an offline, secure machine.
  • Intermediate CAs: Issued by the Root CA to each Kubernetes cluster running Istio. It is recommended to keep the Intermediate CA certificates as short-lived as possible.
  • Workload Certificates: Automatically generated by Istio for each Pod and signed by the cluster's intermediate CA.

To configure a custom certificate in Kyma, you must create a Secret named cacerts in the istio-system namespace of each cluster. To create the Secret, you need the following input:

| File | Description |
| --- | --- |
| ca-cert.pem | The intermediate CA certificate with permissions to sign server certificates. You can use any CA certificate in your organization's chain of trust. |
| ca-key.pem | The private key corresponding to ca-cert.pem. Istio uses it to sign new workload certificates. |
| root-cert.pem | The top-level root CA certificate in your trust chain. |
| cert-chain.pem | The complete certificate chain from your intermediate CA (ca-cert.pem) to the root CA (root-cert.pem). |

To create the Secret for cluster cluster1, run:

bash
kubectl create secret generic cacerts -n istio-system \
    --from-file=cluster1/ca-cert.pem \
    --from-file=cluster1/ca-key.pem \
    --from-file=cluster1/root-cert.pem \
    --from-file=cluster1/cert-chain.pem

For more information, see Plug in CA Certificates.

Security Considerations

For live landscapes, it is recommended to use a production-ready CA and manage your root CA on a secure, offline machine. In addition, consider using an additional intermediate CA outside of the cluster and automate the submission of the CA certificates to the clusters.

Additionally, make sure to implement proper certificate rotation procedures according to your organization's security policies.